Our nation’s perimeter defenses are of paramount importance in securing U.S. citizens from external threats. Physical security has been a more tangible objective, while cyber security has fallen behind the sophistication of hackers and malicious nation-states.
Internationally known cyber standardization expert George Arnold walks us through the serious nature of our current critical infrastructure cyber security, and what can be done to strengthen it.
Protecting Critical Infrastructure from Cyber Threats: What Can We Do?
By George W. Arnold
There are many essential systems that support our society, economy, and way of life – such as the electric grid, communications, banking, health care, transportation, and others. Critical infrastructure refers to those systems – categorized into sixteen sectors – whose incapacity or destruction would have a debilitating impact on national security, economic security, public health or safety.
For decades, critical infrastructure systems have depended upon computer-based controls, software and data communication to operate. In the past, limited interconnectivity meant that disruptions were often localized. As these systems became increasingly pervasive and interconnected, they became more vulnerable to cyber attacks with the potential to cause crippling and prolonged outages and even damage to the associated physical assets.
One of the largest cyberattacks ever occurred in 2012 at Saudi Aramco, which produces 12% of the world’s oil output. A computer technician was duped into opening a scam email containing a link that downloaded a piece of malware known as “Shamoon” (Paglieri, 2015). The virus rapidly propagated through the company’s network and partially wiped or destroyed 35,000 computer workstations. It took five months to fully recover. Fortunately, only the business systems, like payment and email, were affected. The computers controlling the company’s oil production were isolated from the rest of the network, permitting oil production to continue while the rest of the company struggled to operate with pencil and paper and faxes. A variant of the Shamoon virus surfaced again early in 2017 in a new attack that struck several organizations in Saudi Arabia.
Critical Infrastructure Sectors
- Defense Industrial Base
- Food and Agriculture
- Healthcare and Public Health
More recently, in 2017, there have been reports of attempts to breach systems at U.S. power plants. (Perlroth, 2017) Fortunately, the potential impacts of these attacks were limited to administrative and business systems, not the control systems that are on isolated networks. However, critical control systems can be attacked through insider threats, such as a compromised employee introducing malware on a USB key. People and their actions are the weakest link in a cybersecurity defense. The potential for damage was demonstrated by the Stuxnet virus, which spread to 14 industrial sites and destroyed 1,000 centrifuges at an Iran nuclear facility in 2010. (Kushner, 2013) While such a disruptive incident has not occurred to date in the U.S., a successful attack might be able to cause physical damage in a major chemical plant or manufacturing facility, or disrupt portions of the electric grid for a period of time.
One challenge that some industries face in protecting their critical control systems is that in legacy infrastructures, such as the power grid, many of the embedded computer-based controls were installed decades ago and have limited computing power. Such equipment needs to be upgraded to support robust encryption and other cybersecurity controls – a process taking place as the power grid is modernized.
What this highlights is that each organization that owns and operates critical infrastructure faces a unique challenge in identifying its specific vulnerabilities and threats in order to put in place the right set of countermeasures and controls to manage cyber-risk – there is no one-size-fits-all solution. A little known fact is that eighty-five percent of the nation’s critical infrastructure is owned and operated by the private sector. Therefore, while the government has a critical leadership and coordination role to play, the primary responsibility for protecting critical infrastructure from cyber threats rests with companies in the private sector. Fortunately, there is a lot of good guidance available from the U.S. government and other sources to help organizations address the challenges.
In 2013, then-President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” calling for an updated and overarching national framework led by the Department of Homeland Security (DHS) for coordinating protection, detection, mitigation of and recovery from cyber incidents. (Department of Homeland Security, 2017) Among other things, the order directed the National Institute of Standards and Technology (NIST) to develop a voluntary risk-based cybersecurity framework providing a set of industry standards and best practices to help organizations cost-effectively address cybersecurity risk in critical infrastructure. Version 1.0 of the Framework was published in February 2014, and a draft update (1.1) is available on the NIST website. (National Institute of Standards and Technology, 2017) The Trump administration has continued the emphasis on increasing cybersecurity with a new executive order that builds upon the previous one, and among other things, makes use of the NIST Cyber Security Framework mandatory for federal agencies. (The White House, 2017)
The NIST “Framework for Improving Critical Infrastructure Cybersecurity” is the most comprehensive framework available to help organizations manage cyber risk in critical infrastructures. It provides a set of concepts, practices and informative references that enable an organization to design, implement, and improve a customized risk-based process to identify, protect, detect, respond, and recover.
Standards like the NIST Cyber Security Framework are essential tools, but are effective only if they are used effectively by organizations that own and operate critical infrastructure. The massive data breach at Equifax, which affected 145.5 million consumers, is under active investigation by federal authorities. (Bernard, 2017) The incident has so far led to the departure of the Chief Executive, Chief Information and Chief Security Officers, and a loss of nearly 25% of Equifax stock price.
The responsibility for ensuring an organization is effectively managing its cyber risk rests squarely with the executive management and board of directors of an organization. When management and boards fail to manage cyber risk, they not only threaten public safety and security, they also face severe personal consequences and liability.
- Bernard, T. S. (2017, September 18). Prosecutors Open Criminal Investigation Into Equifax Breach. Retrieved October 24, 2017, from nytimes.com: https://www.nytimes.com/2017/09/18/business/equifax-breach-federal-investigation.html
- Department of Homeland Security. (2017, July 14). Strengthening the Security and Resilience of the Nation’s Critical Infrastructure. Retrieved October 24, 2017, from dhs.gov: https://www.dhs.gov/strengthening-security-and-resilience-nations-critical-infrastructure
- Kushner, D. (2013, February 26). The Real Story of Stuxnet. Retrieved October 24, 2017, from IEEE Spectrum: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
- National Institute of Standards and Technology. (2017, January 10). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved October 24, 2017, from nist.gov: https://www.nist.gov/sites/default/files/documents////draft-cybersecurity-framework-v1.11.pdf
- Paglieri, J. (2015, August 5). The Inside Story of the Biggest Hack in History. Retrieved October 24, 2017, from CNN tech: http://money.cnn.com/2015/08/05/technology/aramco-hack/index.html
- Perlroth, N. (2017, July 6). Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say. Retrieved October 24, 2017, from New York Times: https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html?_r=0
- The White House. (2017, May 11). Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Retrieved October 24, 2017, from whitehouse.gov: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
It’s time to collectively realize the game of catch-up our nation is now playing versus sophisticated hackers and ill-meaning nation-states. General Don Cook, USAF (Ret), explains the severity of consequences we face if a more secure critical infrastructure isn’t prioritized, and how those goals can be achieved.
A Wake-Up Call For Public & Private Sectors: Your Country Needs You
By General Don Cook, USAF (Ret)
The United States enjoys a standard of living that is largely taken for granted. We have ample clean water, reliable electricity, and safe air travel. The U.S. economy is currently on a broad upswing, represented by low unemployment and record-high stock markets. In spite of the horrific devastation created by hurricanes Harvey, Irma, Maria, and the seemingly never-ending forest fires across America, we remain steadfast and are resilient. Federal, State and Local governments have responded adequately, and let us not forget the responses from our fellow citizens and charitable organizations. So, when it comes to natural disasters, we prepare, assist and recover. To reinforce this point, since 2005, there have been 14 named hurricanes that have made landfall in the U.S. During these events, we understand there may be no water, electricity and other essential services. Residents in these areas have learned to anticipate the consequences of these storms.
Not all crises are anticipated, however. What happens when the unexpected or unanticipated occurs, such as the 9-11 terrorist attack directed at the U.S. financial center, or a cyber attack directed at one or more of the 16 U.S. critical infrastructures? In the case of 9-11, the U.S. first responded militarily with Allies. Subsequently, the Bush Administration created Federal agencies, specifically The Department of Homeland Security (DHS). Policies and procedures to decrease the likelihood of another successful terrorist attack in the U.S. were established. For example, the Transportation Security Administration (TSA) is tasked with transportation (airport) security.
While it pre-dates 9-11, the Foreign Intelligence Surveillance Act of 1978 (FISA), which allows for the physical and electronic surveillance and collection of foreign intelligence information between foreign powers and their agents suspected of espionage or terrorism, is under extension consideration by Congress. Additionally, in 2003, The National Counterterrorism Center (NCTC) was established under the Office of the Director of National Intelligence. The NCTC brings together experts from the CIA, FBI, and Defense to collect and analyze data, and potentially act on information to thwart terrorist acts prior to their initiation. These agencies and others have allowed the U.S. to remain vigilant, and to deter, respond, assist and recover. Are we likewise prepared in the cyber arena to protect America’s critical infrastructure?
The United States and other industrialized countries have become targets for cyber-terrorists. These attacks, whether initiated by state-sponsored actors or non-state actors, have become increasingly successful at disrupting our daily lives. To date, these cyber breaches have focused on the private sector with a growing list of household names such as: Target, Wyndham, Yahoo and Equifax, to name just a few. Ultimately, a corporation’s value in the market decreases and its ability to effectively respond today is questionable. Public confidence is waning. One would expect that it is only a matter of time until an attempt is successful in breaching one of the nation’s critical infrastructures. Where do we stand on preventing this from happening?
It should not be a surprise that the organizational parallels to combating cyber risk are not unlike those for countering terrorism. Fundamentally, both begin with the Federal government. Establishing policies and processes to identify, deter and respond to an attack may even require new agencies to be created. National internet protection and cyber security policies may need to be rewritten or enhanced, which is underway within the Trump administration with the President’s signing of Executive Order (EO) 13800 in May 2017. This EO, “Strengthening the Cybersecurity of the Federal Networks and Critical Infrastructure,” establishes, among other directives, that: 1) “cybersecurity risk as an executive branch enterprise,” 2) agency heads be held accountable for their cybersecurity, 3) agency heads must use the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), and 4) agency heads must provide to the DHS and the Office of Management and Budget (OMB) a management report within 90 days.
The Department of Defense will consolidate its cyber security mission with the announcement this past August that United States Cyber Command will be designated a Unified Combatant Command with sole responsibility for addressing cyber threats within the military. At present, Cyber Command shares this responsibility with U.S. Strategic Command and the National Security Agency (NSA).
The Federal government can clearly direct the military to reorganize to better address cyber threats for the purposes of military efficiencies and effectiveness. The President can sign an EO directing agencies to set in motion systems to enhance their agencies’ cybersecurity. The question remains: Is the Federal government responsible for the security of U.S.’s critical infrastructure to prevent a cybersecurity breach? If not, what role should the government play?
Consider for a moment the following sectors designated as critical infrastructure: the financial system, the electrical power grid, and the communications networks. While these three sectors are government regulated, they are, with the exception of the Federal Reserve, led and managed by publicly-traded companies (Florida Power and Light, AT&T and Chase, etc.). Each company within these sectors is responsible for securing their networks and is beholden to shareholders. Moreover, there is competition within each of these sectors for revenue, talent, market share and the necessity to protect proprietary information and corporate strategies. So, there are limits as to how much government involvement is acceptable. However, the Federal government can and should play an important role in critical infrastructure protection. The President’s long-standing National Infrastructure Advisory Council recently recommended initiatives that could be effective in establishing trust through public-private partnerships to address several of the concerns. A few include: having secure networks; machine-to-machine information sharing; rapid declassification of cyber threat data; identification and implementation of best-in-practice scanning and assessment tools; and use of the national-level GRIDEX to exercise and test potential solutions. There is more that can be done to enhance cybersecurity in general and specifically as it relates to critical infrastructure:
- Companies that have robust cybersecurity programs in place should be granted tax credits for these expenditures, much like the current R&D tax credit. This would clearly enhance corporate cybersecurity awareness.
- Promote cyber education as a core curriculum beginning in middle-schools. In 2009, the Air Force Association initiated a program called, “Cyber Patriot,” whose goal was to promote cyber education in middle-schools through a cyber competition. In 2010, 200 teams applied. In 2017, Cyber Patriot IX had a participant registration of 4,404. Middle-school teams from across the United States, as well as South Korea and Japan, will be competing in Cyber Patriot.
- Revise the government procurement processes. Acquisition of new tools to fight cyber-terrorism is too cumbersome, too expensive, and takes too long. Treat the procurement of advanced cyber tools as an essential combat-related necessity and punch through the acquisition bureaucracy.
- Appoint a standing committee of the leaders in the critical infrastructure space and government officials to build trust and confidence.
- Conduct frequent and focused exercises, by sector, with limited participants aimed at specific goals to build trust and confidence between government and industry. Codify the results of these exercises into policies, processes and procedures, and make the lessons learned transparent to all sectors.
These are a few personal recommendations, and there are many more that should be considered. Setting policy, processes and procedures to recognize, deter, and respond to a cyber terrorist event aimed at U.S. critical infrastructures is perhaps the most important near-term threat facing the United States today. Americans have always risen to challenges, and those who can meet those challenges best reside within the private sector of our economy. It is time to understand that cyber breaches of U.S. corporations are not “black-swan” events. Dare say, they are becoming almost routine.